eprintid: 3765
rev_number: 9
eprint_status: archive
userid: 274
dir: disk0/00/00/37/65
datestamp: 2019-12-09 09:16:07
lastmod: 2019-12-09 09:16:07
status_changed: 2019-12-09 09:16:07
type: conference_item
metadata_visibility: show
creators_name: Tran, Nghi Phu
creators_name: Le, Huy Hoang
creators_name: Nguyen, Ngoc Toan
creators_name: Nguyen, Dai Tho
creators_name: Nguyen, Ngoc Binh
creators_id: tnphvan@gmail.com
creators_id: hoangle.hvan@gmail.com
creators_id: ngoctoan.hvan@gmail.com
creators_id: nguyendaitho@vnu.edu.vn
creators_id: nnbinh@vnu.edu.vn
corp_creators: VNU University of Engineering and Technology
corp_creators: People’s Security Academy
title: C500-CFG: A Novel Algorithm to Extract Control Flow-Based Features for IoT Malware Detection
ispublished: pub
subjects: IT
divisions: fac_fit
abstract: Control flow-based features, proposed by Ding as a static feature extraction method, can detect malicious code with higher accuracy than traditional text-based methods. However, Ding's method requires solving an NP-hard problem on a graph, so it is not feasible for large, high-complexity programs. We therefore propose the C500-CFG algorithm for control flow-based features, based on the idea of dynamic programming, which solves Ding's NP-hard problem with a polynomial-time algorithm of complexity O(N^2), where N is the number of basic blocks in the decompiled executable code. Our algorithm is more efficient than Ding's and better at detecting malware: faster processing time, the ability to process large files, lower memory use, and more extracted feature information. Applying our algorithm to IoT data sets gives outstanding results on two measures: Accuracy = 99.34%, F1-Score = 99.32%.
date: 2019-09
date_type: published
official_url: http://iscit2019.org/
full_text_status: public
pres_type: paper
pagerange: 568-573
event_title: 19th International Symposium on Communications and Information Technologies (ISCIT 2019)
event_location: Ho Chi Minh City
event_dates: September 25 - 27, 2019
event_type: conference
refereed: TRUE
related_url_url: https://ieeexplore.ieee.org/xpl/conhome/8896981/proceeding
citation: Tran, Nghi Phu and Le, Huy Hoang and Nguyen, Ngoc Toan and Nguyen, Dai Tho and Nguyen, Ngoc Binh (2019) C500-CFG: A Novel Algorithm to Extract Control Flow-Based Features for IoT Malware Detection. In: 19th International Symposium on Communications and Information Technologies (ISCIT 2019), September 25 - 27, 2019, Ho Chi Minh City.
document_url: https://eprints.uet.vnu.edu.vn/eprints/id/eprint/3765/1/iscit.pdf